jollygoodcode.github.io
Free SSL with CloudFlare and Heroku
Recently, I set up CloudFlare with Heroku to make good use of its Universal SSL and essentially made Dasherize https the poor man's way.
My aim was to get the following working:
- http://dasherize.com redirects to https://www.dasherize.com
- http://www.dasherize.com redirects to https://www.dasherize.com
- https://dasherize.com redirects to https://www.dasherize.com
- https://www.dasherize.com works!
Here are the steps to get that working:
1) Sign up for a CloudFlare account
Go to https://www.cloudflare.com/.
2) Add a website to CloudFlare
3) Configure CNAME
After you have scanned your website, you will probably see an A entry and a CNAME entry.
Modify (and/or delete) the A and CNAME entries so that they become:
- CNAME, dasherize.com to Heroku domain name
- CNAME, www to Heroku domain name
It might look strange to have two CNAME records going to the same Heroku domain, but CloudFlare supports CNAME Flattening so we are good.
4) Wait for DNS to propagate
At this point, we can wait for DNS to propagate and when it's done:
- http://dasherize.com redirects to https://dasherize.com
- http://www.dasherize.com redirects to https://www.dasherize.com
And the responses should look like so (with some information omitted):
$ curl -I http://dasherize.com
HTTP/1.1 301 Moved Permanently
...
Location: https://dasherize.com/
Via: 1.1 vegur
Server: cloudflare-nginx
$ curl -I http://www.dasherize.com
HTTP/1.1 301 Moved Permanently
...
Location: https://www.dasherize.com/
Via: 1.1 vegur
Server: cloudflare-nginx
$ curl -I https://dasherize.com
HTTP/1.1 200 OK
Server: cloudflare-nginx
...
Via: 1.1 vegur
$ curl -I https://www.dasherize.com
HTTP/1.1 200 OK
Server: cloudflare-nginx
..
Via: 1.1 vegur
We are almost there, we are just left with redirecting http://dasherize.com to https://www.dasherize.com.
You might be thinking.. But why www? Everyone has different opinions.
5) Final Redirection
To redirect http://dasherize.com to https://www.dasherize.com, we need to add a Page Rule that:
Forwards (301) https://dasherize.com/* to https://www.dasherize.com
And with that, the responses will look like:
$ curl -I http://dasherize.com
HTTP/1.1 301 Moved Permanently
...
Location: https://dasherize.com/
Via: 1.1 vegur
Server: cloudflare-nginx
$ curl -I http://www.dasherize.com
HTTP/1.1 301 Moved Permanently
...
Location: https://www.dasherize.com/
Via: 1.1 vegur
Server: cloudflare-nginx
$ curl -I https://dasherize.com
HTTP/1.1 301 Moved Permanently
...
Server: cloudflare-nginx
Location: https://www.dasherize.com/
$ curl -I https://www.dasherize.com
HTTP/1.1 200 OK
...
Server: cloudflare-nginx
Via: 1.1 vegur
6) Full SSL
Finally, go to the Crypto page, and make sure that you have selected the Full option for your SSL. You can read more about the differences by clicking on Help below the select options.
With these 6 steps, you now have an SSL-enabled site for $0, all thanks to CloudFlare's Full SSL option.
All Heroku apps come with https for free and, quoting CloudFlare, "CloudFlare will not attempt to validate the certificate", so it is easy for us to have the Dasherize site SSL-enabled. Keep in mind what that quote implies: traffic between CloudFlare and Heroku is encrypted, but CloudFlare does not verify the certificate the origin presents.
Also, don't forget to set config.force_ssl = true in your Rails production.rb.
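One way to check the outcome of steps 4 to 6 from `curl -I` output, added here as an example and not part of the original post. The function names are made up for the illustration, and reading `Via: 1.1 vegur` as "this response came through Heroku" (rather than from the CloudFlare Page Rule) is a heuristic based on the headers shown above.

```shell
#!/usr/bin/env bash
# Added example: audit `curl -I` output against the redirect plan in this post.

# header NAME < headers : print one response header's value (case-insensitive).
header() {
  tr -d '\r' | awk -v want="$1" '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == tolower(want)) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
    }
  }'
}

# served_by < headers : "heroku" when the Via header names vegur, else "edge".
# Heuristic taken from the headers shown in this post, not a documented contract.
served_by() {
  if header via | grep -qi 'vegur'; then echo heroku; else echo edge; fi
}

# check STATUS LOCATION HOP < headers : compare one response with the plan.
# Pass "" as LOCATION when no redirect is expected; returns 1 on mismatch.
check() {
  local raw code loc hop
  raw=$(cat)
  code=$(printf '%s\n' "$raw" | awk 'NR == 1 { print $2 }')
  loc=$(printf '%s\n' "$raw" | header location)
  hop=$(printf '%s\n' "$raw" | served_by)
  if [ "$code" = "$1" ] && [ "$loc" = "$2" ] && [ "$hop" = "$3" ]; then
    echo "ok: $code ${loc:-(no redirect)} via $hop"
  else
    echo "MISMATCH: got $code '$loc' via $hop, wanted $1 '$2' via $3"
    return 1
  fi
}

# Sample responses: the step 5 headers from this post, elided lines dropped.
http_apex()  { printf '%s\r\n' 'HTTP/1.1 301 Moved Permanently' \
  'Location: https://dasherize.com/' 'Via: 1.1 vegur' 'Server: cloudflare-nginx'; }
https_apex() { printf '%s\r\n' 'HTTP/1.1 301 Moved Permanently' \
  'Server: cloudflare-nginx' 'Location: https://www.dasherize.com/'; }
https_www()  { printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: cloudflare-nginx' \
  'Via: 1.1 vegur'; }

http_apex  | check 301 https://dasherize.com/     heroku
https_apex | check 301 https://www.dasherize.com/ edge
https_www  | check 200 ""                         heroku
# Live use: curl -sI https://dasherize.com | check 301 https://www.dasherize.com/ edge
```

A plain-http redirect that reports `heroku` is being issued by the app behind CloudFlare, which is where the `config.force_ssl = true` setting takes effect.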
Thank you for reading.
@winston :pencil2: Jolly Good Code
About Jolly Good Code
We specialise in Agile practices and Ruby, and we love contributing to open source. Speak to us about your next big idea, or check out our projects.
@winston tremendously helpful and cost saving tip!
@joshteng ka-ching!
:+1:
@winston Nice that does the job in a few steps! I supposed for something more granular, https://github.com/tobmatth/rack-ssl-enforcer can be considered?
@tmlee Yup. That gem seems to do the job.
interesting.
Thanks Winston!
the redirecting from http to https doesn't seem to be automatic. Did you have to turn it on somewhere? I get 200 OK's for both http and https.
@4thethrillofit I do a 301 http -> https redirection at my DNS. fyi, using cloudflare. But I think if ure still using Rails, there's a config to force ssl I think.
@4thethrillofit Is it a Rails app? As what @joshteng said:
Also, don't forget to set config.force_ssl = true in your Rails production.rb.
Yep! @joshteng apparently they want you to use Page Rules
@4thethrillofit it was weird at first but i got to love it fast enough. haha
another day, another free SSL https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
... at no extra cost. SSL/TLS certificates provisioned through AWS Certificate Manager are free!
ACM will allow you to start using SSL in a matter of minutes. After you request a certificate, you can deploy it to your Elastic Load Balancers and your Amazon CloudFront distributions with a couple of clicks. After that, ACM can take care of the periodic renewals without any action on your part.
Is dasherize.com hosted on heroku? I am using shared hosting, how can I make it work? In my case the records look like this (I have removed the 'A' records):
Type | Name | Value | TTL |
---|---|---|---|
CNAME | mydomain.xyz | is an alias of clcp.hostingprovider.com | Automatic |
CNAME | www | is an alias of clcp.hostingprovider.com | Automatic |
Still not working. I also tried the value of the A record (which I've removed now) in place of the CNAME's value. Can you suggest a possible solution?
@guptarohit Yes dasherize is hosted on heroku.
Is clcp.hostingprovider.com your actual application?
Is it because of a DNS propagation issue? Does it work already?
@winston no, clcp.hostingprovider.com is not my application. My application is hosted by a hosting provider. "clcp.hostingprovider.com" got inserted in the CNAME while I was setting up cloudflare. I'd just pointed my DNS to cloudflare's nameserver, that's all I did. There was some IP address in the A record (which I have removed).
Hmm.. First question.. does your hosting provider provide you with a https end point? If not, it's pretty futile to follow this guide. i.e. it only works with Heroku.
Next, is your application accessible via an IP address or URL? Try replacing "clcp.hostingprovider.com" with that. But again, if your app is not accessible at https://<ip or url> on your hosting provider, like I said, this won't work. Hope this clarifies.
Exactly this is the problem, https://<ip or url> does not resolve to my application.
:+1: Thanks though for clearing my query. :smiley: